Doug #3 (Duke of Dougs)
Dan GoodinRemember those unwarranted warnings about juice jacking in airports from public phone charging kiosks at airports and other venues? The misinfo isn't just repeated by the FCC and other government agencies. Security snake oil companies like Osomprivacy (osomprivacy.com) also do it. This email promoting the completely unnecessary "privacy cable" even cites an article I wrote 2 months ago explaining why juice jacking is BS. When I pointed out to him that he was spreading misinfo, he only doubled down. I will be staying as far away from Osomprivacy as possible.
Random Damage 🌻@dangoodin regardless, a conventional outlet with your USB charger of choice is always safe and will probably give you better charge rates than whetever ancient USB-A connector a hotel or airport provides
i.grok@RandomDamage @dangoodin yeah, but the USB condom won't
keen456
keen456@dangoodin That surprises me- he used to be more rigorous (or maybe I'm remembering incorrectly?)
~@dangoodin would Ars's esteemed editors consider placing a note at the top of said cited article that Ars explicitly does not recommend products that claim to avert these attacks? Seems harmless since the article is pretty clear that this is nonsense anyway.
Alan Miller 
🇺🇦@dangoodin there are situations where using one (or just a charging cable with multiple ends because who's connecting data in those), most notably if you're using a public charging station at defcon.
VHaschIt's hard to accept his business is based on a lie. Too many samolians have passed between hands. 😏
lj·rk@dangoodin What frustrates me more is that there's a real threat through USB, but not through friggin' public ports >.< This is such a complex setup, you can get the same result much more easily:
Give away/drop/replace malicious USB cables. People will use these to actually indeed connect devices for data transfer (thus allow the connection) and you can MITM a lot of shit through that. It's still maybe a bit paranoid but *much* more realistic than anyone setting up malicious charging ports and going through the trouble of making them look official.
@ljrk If you read my Ars post (linked in my earlier toot) you'll see that there is currently no known way to use malicious cables to MiTM a device without requiring the user to take a bunch of unusual actions. I don't see much evidence of much of threat here.
@dangoodin This one?
https://arstechnica.com/information-technology/2023/05/fearmongering-over-public-charging-stations-needs-to-stop-heres-why/
I don't see anything there on that, except those two paragraphs which aren't really related:
> _“[…] In some cases, criminals may have intentionally left cables plugged in at charging stations. There have even been reports of infected cables being given away as promotional gifts.”_
and:
> _Left out of the advisories is that modern iPhones and Android devices require users to click through an explicit warning before they can exchange files with a device connected by **standard cables**._
(bold: mine). That's exactly not the scenario I and the original source above described. I even said that those cables would require user action, but I wouldn't say "data transfer" is unusual if that's *exactly what the user wants to do*.
Idk, we do attack devices at customers that way, and quite successfully so. But yes, I do not know how frequent this happens IRL, only how "realistic" or easy it is. Building a fake power dock? That's... determination. But handing out MITM cables? That's just like Bad USB attacks, surprisingly easy to pull off.
@ljrk Apologies if I'm misunderstanding what you were saying. I'm just trying to point out that the use of malicious cables to infect mobile devices is extremely difficult. Specifically:
"There are some major limitations, however, that make the O.MG Cable and similar hacking tools unsuitable for the kind of opportunistic juice jacking the FCC and FBI warnings envision. First, the script must be tailored to the specific model of hardware being attacked. The script needed to hack a Samsung Galaxy phone will be different from the one needed to hack a Motorola. A script targeting an iPhone would be altogether different.
That means it’s infeasible, if not impossible, to create a malicious charging station that could hack more than a very small number of phones in use today. That still leaves open the possibility of a fake charging station that targets, say, only iPhone 14 or Pixel 7 models, but it significantly limits the reach of such attacks.
Another shortcoming is that the OTG adaptor turns the phone into a USB host, meaning the phone—which is already running low on battery power—must supply power to the cable rather than the other way around. This limitation undermines the whole subterfuge of a charging station and may also kill the remaining battery life before an attack has a chance to progress.
For iPhones, the O.MG cable is even more poorly suited to juice jacking. For one, iPhones require users to enter a password (or provide a facial scan) before an app will install. (The Pixel 7 I tested did not; some Android devices may.) That requirement significantly limits the effectiveness of the attack.
Additionally, the O.MG cable works only on Apple devices equipped with a USB-C connector. To hack an iOS device with a Lightning connector, a juice jacker would need an additional Lightning adapter that would be physically obvious to the person using the booby-trapped charger.
There are at least two other theoretically possible methods. One is targeting the debugging interface of the connected phone. There are several off-the-shelf products that allow hackers to interact with the debug interface on phones. For iPhones, there's the Tamarin "cable," but that has an easy-to-spot Raspberry Pi hanging off of it. Also problematic: Like the O.MG, these devices can't charge a phone when they're accessing the file system of the connected device.
The other possible method uses newer, more experimental types of hardware that allow charging even while turning the iPhone into a USB Host. This video demonstrates a prototype of such hardware.
Finally, besides there being no universal script that will work on hundreds or even dozens of different devices, the customized scripts are non-trivial to write. They require a high skill level and a huge amount of trial-and-error troubleshooting."
It may be easier to use something like an O.MG cable to infect a macOS or Windows device, though.
@dangoodin Don't worry, I think the primary difference is that we're talking infection of a device vs. MITM of two victim devices, e.g., a malicious cable between a victims phone and laptop. They want to transfer data (thus clicking "allow" on various popups) and the attacker can sniff and/or inject commands.
It *is* much more difficult to actually infect the mobile device fully (e.g., installing a malicious app). The distinction between those two different attacking modes isn't that clear in this quote. At the same time I must say that reasons like
- you need different scripts per target
- high skill required
are bullshit reasons IMHO. First, I can simply detect which device is on the other side and select my script based on that. There are a lot of scripts online to source from, so I don't even need to write them myself. And yes, a certain skill level above "script kiddie" is required but there are enough of those people out there 0:-)
Further, things like "it's actually consuming energy" are reasons that don't really matter IMHO, the attack would ideally be quick and the mode changed afterwards. Users tend not check their phone immediately whether it actually has charged continuously.
The other difference is not about the goal but about the method chosen...
@dangoodin While we established that the goal "MITM" is much more feasible than "infection", the method can also have an impact. The "traditional" juice jacking scenario I'd consider unlikely as well: Building such a power station is quite elaborate investment with dubious pay off. Simply floating some cables *regardless* of an attacker controlled station is a different thing though. This plus doing a MITM attack is quite feasible.
If one was to carry out an attack through a malicious station though, the reason that there's a RasPi hanging down from the other side doesn't really float to me. That's... hidden.
So to me the matrix is:
Goal: MITM vs infection. The former is quite easy as there's no real vulnerability in the OS to exploit, the latter does require some actual software exploitation.
Method: cable vs. station. Through a cable is rather effortless but has its limits, a custom "fake" station is high effort but possibly very high impact.
Thiago Figueiró@dangoodin to be fair, the tone of your email is pretty harsh. When people get shoved, they push back.
Fennix 
@dangoodin Since you published that article, were you ever able to get information out of the government as to why they issued the warning in the first place? I know they're quoted therein saying "just a PSA" but I mean, something must have caused them to reissue it?
While I agree it's not a real threat compared to the dozens of other things you should be worrying about, there is one thing in your article that is kind of glossed over, probably for brevity:
Left out of the advisories is that modern iPhones and Android devices require users to click through an explicit warning before they can exchange files with a device connected by standard cables.
When connecting any device via USB, typically you get some information about the vendor and product of the device automatically, even before answering prompts about allowing debugging or storage access. While it's unlikely, it's not impossible to use this information to roughly target zero day exploits at certain models of device. I say roughly because the Vendor and Product values are frequently reused across models.
In the screenshots that follow the quoted section above, for example, when you are on the "Charging this device via USB" option on Android, the Vendor and Product information is visible to the connected host. It's enough to know the vendor at least in a bunch of cases I looked at quickly here (Multiple Google Nexuses, two Samsungs, and a Motorola). Generally you can tell it's an iPhone or a Google Nexus phone, but in modern times not often down to the individual model.
I raise this only because you also later mention in the article (and downthread I see) that someone would need to make something custom for each phone in order to exploit zero days or fake keyboard input, which, given the above, is accurate but not quite the whole picture. It's possible it's cost prohibitive, but if you're able to steal someone's credit card info this way and turn that over a few hundred bucks a time, you probably only need a handful of wins for it to pay off.
The bigger question to me is why LE can't just point you at a case where it's been relevant since 2018 (and since vendors have tightened things up).
That all said, the bigger threat, as pointed out in your article, is the quality (or lack thereof) of the power delivery and trusting that someone hasn't fucked something up somewhere in a way that's gonna damage my stuff while traveling.
Guillaume Rossolini@dangoodin
Funny how someone shared a cropped clip from the French evening TV news
The clip that’s circulating, does not mention how end users can protect themselves:
https://www.facebook.com/lhoussaineSry/videos/1356681291544405/
The source, not cropped:
https://www.tf1info.fr/amp/high-tech/video-tf1-alerte-du-fbi-sur-le-juice-jacking-ne-rechargez-pas-votre-telephone-n-importe-ou-2255798.html
The reporter isn’t making any attempt at providing a believable scenario, and yet, this gets shared
“You are running late at the airport but your ticket is on your phone and your battery is dead. You look around and lucky you, someone left a cable at the closest USB charging station.”
Of course the reporter and interviewees fail to address a few points that y’all know…
- it (the cable they are talking about) costs way too much: no attacker is going to spend upwards of €30 and possibly closer to €180, per attempt, to steal one random person’s maybe something or maybe not
- if the end user plugs in a USB condom with a hacked cable, they’re still out of luck
- this realistically only works in targeted attacks, far away from the people watching the evening news